A server storing sensitive patient information for more than 230,000 people was breached by unknown hackers so they could use its resources to host the wildly popular Call of Duty: Black Ops computer game.
New Hampshire-based Seacoast Radiology warned patients on Tuesday that the hacked server stored their names, social …

Ugh...

I'm reading sentences like this a lot recently:

"spoof their IP address"

If you spoof your IP address you will not receive the data. If you HIDE your IP address with the likes of Tor you certainly won't be playing Call of Duty. If you log in to a server and change the log files such that your IP is hidden that is also not spoofing.
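The point above (a forged source address means the replies go elsewhere) is easiest to see on a TCP handshake. The following is an added example, not code from the thread: a toy model in which the server's SYN-ACK, carrying its initial sequence number, is delivered to whatever address was in the SYN. The honest client sees it and completes the handshake; the spoofer never does and is left guessing a 32-bit ISN. All addresses, ports and the `Server`/`Network` classes are constructed for the illustration. (The caveat a practitioner would add: spoofing still matters for stateless UDP traffic, reflection attacks, and attackers who sit on the path and can see the reply.)

```python
"""Why a host that forges its source IP cannot finish a TCP handshake.

Added example, not code from the original thread. Toy model of the
three-way handshake: the server addresses its SYN-ACK (which carries
its initial sequence number) to the source address found in the SYN,
so a host that forged that field never learns the ISN and cannot send
the ACK the server expects. Addresses and ports are constructed.
"""
import secrets

MOD32 = 2 ** 32


class Server:
    """Minimal server-side handshake state."""

    def __init__(self):
        self.half_open = {}      # (ip, port) -> server ISN
        self.established = set()

    def on_syn(self, src_ip, src_port, client_isn):
        isn = secrets.randbelow(MOD32)          # unpredictable ISN
        self.half_open[(src_ip, src_port)] = isn
        # The reply is addressed to src_ip, whoever actually owns it.
        return {"to": src_ip, "port": src_port,
                "seq": isn, "ack": (client_isn + 1) % MOD32}

    def on_ack(self, src_ip, src_port, ack):
        isn = self.half_open.get((src_ip, src_port))
        if isn is None or ack != (isn + 1) % MOD32:
            return False                         # bogus ACK, dropped
        del self.half_open[(src_ip, src_port)]
        self.established.add((src_ip, src_port))
        return True


class Network:
    """Delivers packets purely by destination address."""

    def __init__(self):
        self.inbox = {}

    def deliver(self, pkt):
        self.inbox.setdefault(pkt["to"], []).append(pkt)

    def receive(self, ip):
        return self.inbox.pop(ip, [])


def connect(server, net, real_ip, claimed_ip, port=40000, client_isn=1000):
    """Attempt a handshake; claimed_ip is what goes in the SYN's source field."""
    synack = server.on_syn(claimed_ip, port, client_isn)
    net.deliver(synack)
    replies = net.receive(real_ip)               # only packets sent to us
    if replies:
        ack = (replies[0]["seq"] + 1) % MOD32    # real ISN, handshake works
    else:
        ack = (secrets.randbelow(MOD32) + 1) % MOD32   # blind guess
    ok = server.on_ack(claimed_ip, port, ack)
    return {"saw_synack": bool(replies), "established": ok}


def demo():
    """Honest client vs. spoofer, both really at 203.0.113.5 (constructed)."""
    server, net = Server(), Network()
    honest = connect(server, net, "203.0.113.5", "203.0.113.5")
    spoofed = connect(server, net, "203.0.113.5", "198.51.100.9")
    return honest, spoofed


if __name__ == "__main__":
    print(demo())
```

The spoofed attempt fails with probability 1 - 2^-32 per try; that blind guess is exactly what unpredictable ISNs exist to defeat.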

Spoof

Yep, although not just recently. People have been getting all confused about that for years. It's a useful indicator to tell if they have any clue what they're talking about, which usually, they don't.

Yeah... Right

And you certainly would not be playing call of duty on an American server from Scandinavia. The latency is sufficient to make any hard core gamer choke on their beverage of choice at the mere suggestion of doing so.

erm...

You use Tor to compromise the machine and set it up as a game server.

Then you don't use Tor to connect as a regular player (not doing anything wrong!) and enjoy.

I would doubt it was a Scandinavian who compromised the machine. It would be a local player wanting a good ping. However since Tor is popular in Scandinavia I would guess that Tor was used to compromise the machine, hence looking like a Scandinavian hack.

@Anton Ivanov

@Anton Ivanov, you make a very good point, (which seems to be overlooked by a lot of people judging from your votes up).

Scandinavian gamers/hackers wouldn't use an American server, the ping would easily be up in the hundreds of milliseconds. That may not sound like much latency to non-gamers, but it would be laughed at as unusable and pointless by gamers.

I wonder if this is an insider job so to speak, where it could simply have been set up by an in-house IT worker as a gaming server for him and some friends, all likely based in America. Maybe someone tried to connect from Scandinavia but I doubt they would have got far in the game. There may very well have been no actual hacker, but simply some IT worker using the medical server as a gaming server and now it's been found, they know they are in trouble and so are trying to cover up what they did by saying, oh it was hackers, I'll help you find them. Problem is the paranoia around the word "hacking" these days could easily result in non-technical managers freaking out at the word "hacker" in association with their beloved servers. Which would just dig a bigger hole for the worried IT worker.

(I've even worked in companies where we have put gaming servers on office servers, it's just the bosses were ok with it (in one case, they even joined in :) ).

Also a gaming server is likely to be a lot of data, when adding in all the maps data, so whilst not impossible to upload, it's a major pain to upload it all. Much easier to install if you just do it via an internal intranet connection.

I bet it's just a now somewhat worried IT worker, trying to say it was hackers. :)

Wot? Laggy?

"Scandinavian gamers/hackers wouldn't use an American server, the ping would easily be up in the hundreds of milliseconds. That may not sound like much latency to non-gamers, but it would be laughed at as unusable and pointless by gamers."

WHAT?!?! IIRC, the official definition of an LPB was < 200ms ping rates. When did 100 start to classify as "high ping"? Granted, something like 450-500 would brand you an HPB even in the old days of dialup, but associating three-digits to "high ping" is an exaggeration.

Or why the data was not encrypted?

inside job

@as to why

I would guess that the system owners would rather spend limited money on patient care than internet security. No-one ever values insurance of any kind, and enhanced security is particularly irritating because you never hear when it works.

Why?

As for why what looks like the server of a specialty radiology outfit was open to the internet I'd guess they need to exchange HL7 messages with the doctors who ordered the pictures.

You go to your GP with a set of symptoms, the GP orders some kind of radiological pictures from a dedicated lab and would like to get them back electronically. Medical systems increasingly need internet access to talk to each other. No excuse for the lax security of course, and the data should be encrypted on disk anyway...

In the world of the lowest bidder local encryption won't be happening until it's required explicitly by law.

RE: Ummm

Seriously

There's a sysadmin somewhere needs to be sacked. Why was a machine hosting database services containing sensitive data attached to the internet? If remote access of this was required, have they not heard of VPNs?

HL7 Messages...

...being essentially just a bunch of XML junk, can be relayed via a web server. I'd be rather cautious about sending that sort of thing over the interweb anyway. What with the identifying patient data that they contain. The proper solution for that would be for the GP to log into a secure server and relay any data through a password-secured VPN, avoiding the unencrypted net entirely.

Also, AFAIK, HL7 messages wouldn't contain pictures, unless there's something in the spec that I don't know about (entirely possible). The use I know for them is to relay clinical information, such as dates and times of hospital visits between medical systems.

Certainly in the UK, the NHS does require proper security on this sort of data by law. This may not be so in the US, but should be.

Not Encrypted?

heh

I reckon about a quarter of the first person shooter servers you see on game browsers are running on boxes like this, hosting these things can be a major expense (especially large 32 -> 64 people games.)

A lot like xdcc servers. Why would people host stuff at a cost to themselves when they can break into a high bandwidth poorly secured server somewhere and have them serve it instead.

Then most of the people using the resource have no idea it was nicked as it just appears as something like "MarkBot" in the case of xdcc or "-=NigHtWinZ0rZ=- 64 man carnage machine" - in the case of an fps.

but hey ho, don't secure your network and worse still don't monitor your systems, these things happen to you. Right or wrong, that's just the way the world is.
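Two posts above ask why a database host with sensitive data was reachable at all, and this one says the owners were not monitoring their systems. The check a practitioner would actually run is a listener audit: compare what the box is listening on against what it is supposed to be listening on. The following is an added example, not code from the thread. It parses the output format of `ss -Hlntu` (assumed column order: netid, state, recv-q, send-q, local address:port, peer address:port) and flags both listeners nobody approved and approved services bound more widely than permitted. The `ss` lines and the allow-list are constructed; the ports are arbitrary and not a claim about what Call of Duty uses.

```python
"""Audit listening sockets against an allow-list.

Added example, not from the original thread. Parses `ss -Hlntu`-style
lines (assumed columns: netid state recv-q send-q local peer) and reports
(a) listeners that are not on the allow-list at all and
(b) allowed services bound to a wider address than permitted, e.g. a
database on 0.0.0.0 that should only ever listen on 127.0.0.1.
SAMPLE_SS and ALLOW are constructed, not captured from a real host.
"""
import re
import sys

SAMPLE_SS = """\
tcp   LISTEN 0      128    0.0.0.0:22      0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:443     0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:1433    0.0.0.0:*
udp   UNCONN 0      0      0.0.0.0:30001   0.0.0.0:*
tcp   LISTEN 0      128    [::]:22         [::]:*
udp   UNCONN 0      0      127.0.0.1:323   0.0.0.0:*
"""

# (proto, port) -> set of local addresses the service is allowed to bind.
ALLOW = {
    ("tcp", 22): {"0.0.0.0", "[::]"},
    ("tcp", 443): {"0.0.0.0"},
    ("tcp", 1433): {"127.0.0.1"},   # database: loopback only
    ("udp", 323): {"127.0.0.1"},    # chrony command socket
}

# Greedy \S+ backtracks so "[::]:22" splits into addr "[::]" and port 22.
LINE_RE = re.compile(r"^(tcp|udp)\s+\S+\s+\d+\s+\d+\s+(\S+):(\d+)\s+")


def parse_ss(text):
    """Yield (proto, local_addr, port) for each parseable line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group(1), m.group(2), int(m.group(3))


def audit(text, allow=ALLOW):
    """Return a list of (kind, proto, addr, port) findings."""
    findings = []
    for proto, addr, port in parse_ss(text):
        permitted = allow.get((proto, port))
        if permitted is None:
            findings.append(("unexpected", proto, addr, port))
        elif addr not in permitted:
            findings.append(("overexposed", proto, addr, port))
    return findings


if __name__ == "__main__":
    # Pipe real output in: ss -Hlntu | python3 audit.py
    src = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_SS
    for finding in audit(src):
        print(*finding)
```

On the constructed sample this reports the unknown UDP listener on 30001 and the database on 1433 exposed on every interface; the second finding is the one that matters for patient data, and a cron job diffing this output daily is cheaper than any of the alternatives discussed above.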

I don't suppose children have access to that sort of money

if daddy isn't willing to fund their gaming beyond the initial outlay. On the other hand, many children are quite PC-literate, therefore "borrowing" someone else's server is an obvious solution (albeit illegal, immoral, etc.).

QuakeWorld servers

Reminds me of those days when we set up the least-used PCs in campus with the QuakeWorld server, CTF maps, Serv-U FTP for updates & patching and a nifty "hide these windows plz" program so the sysadmins wouldn't find out our server.

Ah, the days before NAT and firewalls, when everyone had a globally routable IP...

Yeah right...

Ah, memories...

Of the time me and the rest of the class of computer systems students all joined the sysadmin's Quake server at college *many* moons ago. Somebody spotted they were running a dedicated server in their little office. Since they oh so helpfully put a little sticker on the front of each machine with its IP written on, it would've been rude not to frag them to pieces, no?....

modern docs need roaming access to patients

@AC: the server is probably part of the Electronic Patient File system, allowing doctors to access a patient's medical history and info from anywhere in the hospital and likely also remotely. No surprise there.

Numpty

Open for local intranet use, sure, that's obvious. But "...and likely also remotely." fails. Remote access to a company's servers usually involves a VPN connection to the firewall. If they did (unlikely) just stick this machine in the DMZ or outside the firewall, then yes, they should be sacked. Assuming that is what they did? No, I don't see it. Even a radiology clinic with no IT staff would still be behind a DSL/cable modem/router with a built-in firewall and the machine given a 192.168.0.0/16 address, at the very least. So, the "breach" was likely port-forwards or other security slight. Granted, since they had a CoD server running, that means they had port-forward capability on the firewall/modem/etc or the machine WAS in the DMZ....still, fail for assuming and not thinking it through.

If they've fixed THE problem.. they haven't fixed the problem.

Bandwidth?

Seriously, hosting a COD server used a huge amount of bandwidth? That doesn't make sense - the bandwidth used to connect to a game server is pretty small, it has to be or the game would lag like a bitch. To make any kind of impact they'd have to be hosting and serving patches and all sorts of other stuff - unless of course this NHS machine wasn't actually doing anything much in the first place which would be a bit of a shock. The NHS doesn't waste money on IT hardware, now does it.

I'm on the Playstation network, so I know all about lag. Wish there was a way to set up dedicated servers on PSN.

HIPAA?

HIPAA & Electronic Info

HIPAA has actually very little to do with specific regulation on technology and how it relates to the storage of electronic information. I was shocked at how little of a ruling it has over how data is stored/compromised, etc.

COD Black Ops

Internet Routing/Response Times

Some seem to believe that speed would be a factor in this situation, and that it could have only been an inside job, because response times to Scandinavia would be slow.

It seems that some may be unclear about the way internet routing, and its protocols such as BGP (Border Gateway Protocol), actually works.

I have connected to servers all over the world, even for gaming, with latency times well below 100ms.

This is, my dear friends, because the response times/latency has NOTHING to do with LOCATION. It has to do with the number of hops it takes between YOU and YOUR DESTINATION IP, and those individual routers' load at the time of traffic passthrough.

Just because it's in a different country does not mean that the response times are going to be all that bad.

In some cases, your response times to servers outside your country will be better than within.

Internet response times are not measured with units such as Kilometers or Miles.

People who live in glass houses...

It looks like the lid was left off the acronyms box again and someone is waving one around to try to gain credibility.

The routing protocol used has almost nothing to do with WAN latency. There are many choices, each with their advantages and disadvantages.

The fact is though, that there is a direct relationship between the distance between two points and the minimum latency for data transmission between them. It happens to be pretty close to the speed of light.

That would only give you the minimum, however. In practice the actual time taken will be increased because very few circuits follow a straight line path between two points.
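The two posts above disagree about whether distance matters; the physics floor is easy to put a number on. The following is an added example, not code from the thread: it takes the great-circle distance between two points and the speed of light in glass fibre (taken here as roughly two thirds of c, an assumption about the fibre's refractive index) to give the lowest possible round-trip time, then lets you scale it by a path-stretch factor for cables that don't follow the great circle. The coordinates are approximate city centres, chosen to match the thread (a New Hampshire server, a Scandinavian player, a local player) and are constructed, not taken from the article. Queueing delay at routers is on top of all of this, which is the part the other post is right about.

```python
"""Lower bound on round-trip time from geography.

Added example, not from the original thread. Haversine great-circle
distance times propagation delay in fibre gives the physics floor on
RTT between two points. Real RTTs are higher: cables meander (modelled
by path_stretch) and routers add queueing delay (not modelled at all).
"""
import math

C_VACUUM_KM_S = 299_792.458
FIBRE_FACTOR = 0.67       # assumption: light in silica fibre, n ~ 1.47
EARTH_RADIUS_KM = 6371.0

# Constructed approximate coordinates (lat, lon); assumption, not from the article.
PORTSMOUTH_NH = (43.07, -70.76)   # stand-in for the NH server
STOCKHOLM = (59.33, 18.07)        # a Scandinavian player
BOSTON = (42.36, -71.06)          # a local player


def great_circle_km(a, b):
    """Haversine distance between two (lat, lon) pairs in degrees."""
    lat1, lon1 = map(math.radians, a)
    lat2, lon2 = map(math.radians, b)
    dphi = lat2 - lat1
    dlmb = lon2 - lon1
    h = (math.sin(dphi / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin(dlmb / 2) ** 2)
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(h))


def min_rtt_ms(distance_km, path_stretch=1.0):
    """Round trip in ms if the only delay were propagation in fibre."""
    one_way_s = distance_km * path_stretch / (C_VACUUM_KM_S * FIBRE_FACTOR)
    return 2 * one_way_s * 1000.0


def floor_rtt_ms(a, b, path_stretch=1.0):
    return min_rtt_ms(great_circle_km(a, b), path_stretch)


if __name__ == "__main__":
    for name, who in (("Stockholm", STOCKHOLM), ("Boston", BOSTON)):
        d = great_circle_km(PORTSMOUTH_NH, who)
        print(f"{name}: {d:,.0f} km, floor {min_rtt_ms(d):.1f} ms, "
              f"with 1.5x path stretch {min_rtt_ms(d, 1.5):.1f} ms")
```

For the constructed points the floor comes out near 60 ms for Stockholm and under 1 ms for Boston; a realistic transatlantic path stretch of 1.5 puts the Stockholm figure near 90 ms before a single router has queued anything. So neither side of the argument is wrong: distance sets a hard floor, and routing and load decide how far above it you land.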

@Stuart

"That would only give you the minimum, however. In practice the actual time taken will be increased because very few circuits follow a straight line path between two points."

So, I read this as: "I agree with your assessment that physical distance has no bearing on response times".

----

"It looks like the lid was left off the acronyms box again and someone is waving one around to try to gain credibility."

Okay. If you look at, and COMPREHEND, my writing, you'll notice the two, ever-so-special words "SUCH AS", as in "for example". Thus, I am not using that acronym to spout knowledge, but merely using it as an example of an internet protocol.

----

The speed of light only applies when fiber optics are the cables used, and even then, there is latency buildup, and repeaters are needed (because the signal deteriorates given that we have not perfected fiber-optics, and there are still impurities). This is demonstrated by the basic PHYSICS properties of current fiber optic technology. Thus making link speed variable.

"People with the smarts to...."

"People with the smarts to compromise a medical group's server also have the ability to spoof their IP address."

Wat? They're doctors, radiologists, nurses and secretaries! Not 1337 h4x0rz. They go apeshit about HIPAA because their insurance company tells them to. They neither know nor care why they shouldn't be using IE6 anymore. Medical professionals aren't usually IT experts.

Wot? Laggy? @ Daniel B

A ping time of 100 - 150ms is considered laggy but playable. Above that it is just unplayable. The lower the ping, the better an edge you have as your 'reactions' are quicker. I was getting 5ms on Virgin cable, now that was fun!